Postfix : 454 4.7.1 Relay access denied - postfix-mta

I configured my mail server, mostly following the Workaround tutorial, on my server named KS1.
I have a second server, named KS2, which hosts a piwigo gallery.
When a user subscribes to this gallery, piwigo sends an email. I've configured my KS1 server as the SMTP host:
$conf['smtp_host'] = 'ks1.my.domain';
But the email is not sent:
Oct 10 11:37:48 ks1 postfix/smtpd[19090]: connect from ks2.my.domain[2001:1234::1]
Oct 10 11:37:48 ks1 postfix/smtpd[19090]: NOQUEUE: reject: RCPT from ks2.my.domain[2001:1234::1]: 454 4.7.1 <user#externail.domain>: Relay access denied; from=<piwigo#my.domain> to=<user#externail.domain> proto=ESMTP helo=<galerie.my.domain>
Oct 10 11:37:48 ks1 postfix/smtpd[19090]: disconnect from ks2.my.domain[2001:1234::1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
I've added the KS2 IPv4 and IPv6 addresses to mynetworks in main.cf, but it is still rejected:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 1.2.3.4 [2001:1234::1]/128
smtpd_recipient_restrictions = reject_unauth_destination,check_policy_service unix:private/quota-status,check_recipient_access mysql:/etc/postfix/mysql-forbidden-users.cf
When I send an email with the same script, but to an existing user on KS1, the email reaches the local mailbox, and the logs are the following:
Oct 8 20:24:58 ks1 postfix/smtpd[8685]: connect from ks2.my.domain[2001:1234::1]
Oct 8 20:24:58 ks1 postfix/smtpd[8685]: B35CA1A0062: client=ks2.my.domain[2001:1234::1], sasl_method=PLAIN, sasl_username=localuser#my.domain
Oct 8 20:24:58 ks1 postfix/cleanup[8700]: B35CA1A0062: message-id=<4352cbac6dc0b6f72e586c170587eb99#galerie.my.domain>
Oct 8 20:24:59 ks1 postfix/qmgr[22162]: B35CA1A0062: from=<piwigo#my.domain>, size=1264, nrcpt=1 (queue active)
Oct 8 20:24:59 ks1 dovecot: lmtp(8731): Connect from local
Oct 8 20:24:59 ks1 postfix/smtpd[8685]: disconnect from ks2.my.domain[2001:1234::1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Oct 8 20:24:59 ks1 dovecot: lmtp(localuser#my.domain)<8731><KNmUBXtZf18bIgAAwVE1rw>: sieve: msgid=<4352cbac6dc0b6f72e586c170587eb99#galerie.my.domain>: stored mail into mailbox 'INBOX'
Oct 8 20:24:59 ks1 postfix/lmtp[8706]: B35CA1A0062: to=<localuser#my.domain>, orig_to=<localuser#my.domain>, relay=ks1.my.domain[private/dovecot-lmtp], delay=0.51, delays=0.38/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 <localuser#my.domain> KNmUBXtZf18bIgAAwVE1rw Saved)
Oct 8 20:24:59 ks1 dovecot: lmtp(8731): Disconnect from local: Client has quit the connection (state=READY)
Oct 8 20:24:59 ks1 postfix/qmgr[22162]: B35CA1A0062: removed
I also have SPF:
"v=spf1 a mx ?all"
What did I miss?
If you need extra settings, or logs, please specify what you need to debug.
Regards
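A way to read the rejected session above mechanically, as an added example (not part of the original post): it pairs each "Relay access denied" line with the smtpd session summary for the same PID and client, so you can see whether the denied client had used TLS and authenticated. The function names are illustrative, and the sample is the three log lines quoted in the question.

```python
import re

# Constructed sample: the three ks1 log lines quoted in the question.
SAMPLE_LOG = """\
Oct 10 11:37:48 ks1 postfix/smtpd[19090]: connect from ks2.my.domain[2001:1234::1]
Oct 10 11:37:48 ks1 postfix/smtpd[19090]: NOQUEUE: reject: RCPT from ks2.my.domain[2001:1234::1]: 454 4.7.1 <user#externail.domain>: Relay access denied; from=<piwigo#my.domain> to=<user#externail.domain> proto=ESMTP helo=<galerie.my.domain>
Oct 10 11:37:48 ks1 postfix/smtpd[19090]: disconnect from ks2.my.domain[2001:1234::1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7
"""

REJECT = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<(?P<rcpt>[^>]*)>: Relay access denied; from=<(?P<sender>[^>]*)>")
DISCONNECT = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from \S+?\[(?P<ip>[^\]]+)\] (?P<stats>.*)$")


def parse_counters(stats):
    """Turn 'auth=1 rcpt=0/1' into {'auth': (1, 1), 'rcpt': (0, 1)} as (ok, total)."""
    out = {}
    for item in stats.split():
        name, _, value = item.partition("=")
        ok, _, total = value.partition("/")
        out[name] = (int(ok), int(total or ok))
    return out


def relay_denials(log_text):
    """Pair each relay rejection with its session summary (same smtpd PID and client IP)."""
    pending, events = {}, []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            pending.setdefault((m["pid"], m["ip"]), []).append(m.groupdict())
            continue
        m = DISCONNECT.search(line)
        if m:
            counters = parse_counters(m["stats"])
            for ev in pending.pop((m["pid"], m["ip"]), []):
                ev["tls"] = counters.get("starttls", (0, 0))[0] > 0
                ev["authenticated"] = counters.get("auth", (0, 0))[0] > 0
                ev["rcpt_accepted"] = counters.get("rcpt", (0, 0))[0]
                # 4xx is a deferral (the client will retry); 5xx is a permanent reject.
                ev["temporary"] = ev["code"].startswith("4")
                events.append(ev)
    return events


if __name__ == "__main__":
    for ev in relay_denials(SAMPLE_LOG):
        print(ev)
```

For the session in the question this reports a temporary (454) denial on a connection that had completed STARTTLS and one successful AUTH command, with no recipient accepted.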

Related

Email header with multiple received fields: How can this happen and can this be used to fight SPAM

I often receive phishing/SPAM emails with multiple Received fields.
First, I'd like to understand how one email header can have more than one received field.
Second, I'd like to know if I can use this to fight SPAM.
Here is an example:
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on myhosting.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=3.5 tests=HTML_MESSAGE autolearn=ham
version=3.3.2
X-Spam-ASN:
X-Original-To: my#email.rs
Delivered-To: my#email.rs
Received: from posta.abak.si (posta.abak.si [84.255.212.92])
by myhosting.com (Postfix) with ESMTPS id 522CA80DC8
for ; Wed, 8 May 2019 14:31:59 +0200 (CEST)
Authentication-Results: myhosting.com;
dmarc=none (p=NONE sp=NONE) smtp.from=mk.kema-on.net header.from=mk.kema-on.net;
spf=none (sender IP is 84.255.212.92) smtp.mailfrom=dime.mitreski#mk.kema-on.net smtp.helo=posta.abak.si
Received-SPF: none (myhosting.com: no valid SPF record)
Received: from localhost (localhost [127.0.0.1])
by posta.abak.si (Postfix) with ESMTP id 2C09E1E6A7D7
for ; Wed, 8 May 2019 14:35:06 +0200 (CEST)
Received: from posta.abak.si ([127.0.0.1])
by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id dw1MvahvfmXL for ;
Wed, 8 May 2019 14:35:05 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by posta.abak.si (Postfix) with ESMTP id EB2B21E6A3C6
for ; Wed, 8 May 2019 14:30:12 +0200 (CEST)
X-Virus-Scanned: amavisd-new at posta.abak.si
Received: from posta.abak.si ([127.0.0.1])
by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id luUYSdWOdHLE for ;
Wed, 8 May 2019 14:30:12 +0200 (CEST)
Received: from IP-129-13.dataclub.eu (unknown [84.38.129.13])
by posta.abak.si (Postfix) with ESMTPA id B18CD1E6A7A6
for ; Wed, 8 May 2019 14:25:39 +0200 (CEST)
Content-Type: multipart/alternative; boundary="===============0253676305=="
MIME-Version: 1.0
Subject: Warning: you have (3) Undelivered messesges
To: my#email.rs
From: "Webmaster"
Date: Wed, 08 May 2019 15:25:37 +0300
Message-Id:
Message Body
Every mail server that processes an email adds its own Received field to the header. It is normal for emails to pass through several email servers when traveling across the internet from the sender's computer to the final destination.
https://www.rfc-editor.org/rfc/rfc5321#section-4.4
When an SMTP server receives a message for delivery or further
processing, it MUST insert trace ("time stamp" or "Received")
information at the beginning of the message content,
Looking at the first Received field,
Received: from IP-129-13.dataclub.eu (unknown [84.38.129.13])
by posta.abak.si (Postfix) with ESMTPA id B18CD1E6A7A6
for ; Wed, 8 May 2019 14:25:39 +0200 (CEST)
you will notice that it says which server it received the mail from (the "FROM" clause), and which server received it (the "BY" clause).
As you read through the list of Received fields in the header you posted, you will notice that they are all linked in this fashion.
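The linking described in this answer, as an added example (not code from the original answer): it rebuilds the path oldest hop first from the six Received fields of the quoted header, checks that each hop's "from" host matches the previous hop's "by" host, and flags timestamps that run backwards. The function names are illustrative, and the sample unfolds each field onto one line.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the six Received fields from the header quoted above,
# unfolded to one line each; all other fields except Subject are dropped.
SAMPLE = "\n".join([
    "Received: from posta.abak.si (posta.abak.si [84.255.212.92]) by myhosting.com (Postfix) with ESMTPS id 522CA80DC8 for ; Wed, 8 May 2019 14:31:59 +0200 (CEST)",
    "Received: from localhost (localhost [127.0.0.1]) by posta.abak.si (Postfix) with ESMTP id 2C09E1E6A7D7 for ; Wed, 8 May 2019 14:35:06 +0200 (CEST)",
    "Received: from posta.abak.si ([127.0.0.1]) by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id dw1MvahvfmXL for ; Wed, 8 May 2019 14:35:05 +0200 (CEST)",
    "Received: from localhost (localhost [127.0.0.1]) by posta.abak.si (Postfix) with ESMTP id EB2B21E6A3C6 for ; Wed, 8 May 2019 14:30:12 +0200 (CEST)",
    "Received: from posta.abak.si ([127.0.0.1]) by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id luUYSdWOdHLE for ; Wed, 8 May 2019 14:30:12 +0200 (CEST)",
    "Received: from IP-129-13.dataclub.eu (unknown [84.38.129.13]) by posta.abak.si (Postfix) with ESMTPA id B18CD1E6A7A6 for ; Wed, 8 May 2019 14:25:39 +0200 (CEST)",
    "Subject: Warning: you have (3) Undelivered messesges",
    "",
    "Message Body",
])

HOP = re.compile(r"from\s+(?P<src>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<dst>\S+)"
                 r".*?\bwith\s+(?P<proto>\S+)", re.S)


def trace(raw):
    """Return hops oldest-first; each server prepends its own field (RFC 5321, 4.4)."""
    hops = []
    for field in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(field)
        if not m:
            continue
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", m["info"])
        # The timestamp follows the last ';'; drop the trailing "(CEST)" comment.
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", field.rpartition(";")[2].strip())
        hops.append({"src": m["src"].lower(), "dst": m["dst"].lower(),
                     "ip": ip.group(1) if ip else None, "proto": m["proto"],
                     "time": parsedate_to_datetime(stamp)})
    return hops


def check_chain(hops):
    """Flag hops whose 'from' differs from the previous 'by', or whose clock runs backwards."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["src"] != prev["dst"]:
            findings.append((i, "unlinked", f"{prev['dst']} -> {cur['src']}"))
        delta = (cur["time"] - prev["time"]).total_seconds()
        if delta < 0:
            findings.append((i, "clock-skew", f"{delta:+.0f}s"))
    return findings
```

Only the topmost field was written by the receiving server itself; the fields below it arrive as part of the message and can be forged by whoever handed it over, so treat the reconstructed path as a claim to verify. On this header every hop links to the next, and the only finding is that the final hop's timestamp is 187 seconds earlier than the one before it, which is clock skew between the two servers.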

Opendkim marking incoming messages as dkim=fail

I am configuring opendkim+postfix. It is working OK and sent messages are correctly signed, but the incoming messages are all marked as dkim=fail reason="signature verification failed".
How can I debug this problem?
Return-Path: <sender#gmail.com>
Delivered-To: recipient#mydomain.com
Received: from localhost (mailserver [127.0.0.1])
by mydomain.com (Postfix) with SMTP id 4DDF93F966
for <recipient#mydomain.com>; Tue, 24 Oct 2017 13:56:43 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mydomain.com 4DDF93F966
Authentication-Results: mydomain.com;
dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=#gmail.com header.b="jmdDmXQb"
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.215.43; helo=mail-lf0-f43.google.com; envelope-from=sender#gmail.com; receiver=recipient#mydomain.com
DMARC-Filter: OpenDMARC Filter v1.3.2 mydomain.com 2DBE03F963
Authentication-Results: mail.mydomain.com; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.mydomain.com; spf=pass smtp.mailfrom=sender#gmail.com
The syslog reports this, which looks OK:
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: [209.85.215.45] [209.85.215.45] not internal
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: not authenticated
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: DKIM verification successful
But later it adds:
Oct 24 14:08:43 mailzener postfix/cleanup[3194]: 6CC243F95E: message-id=<CAMXuvOM+jKLkE=0FrQ+cSqFesmPQujpHoVsfH9G_URg9uYtm1g#mail.gmail.com>
Oct 24 14:08:43 mailzener opendkim[3325]: 6CC243F95E: no signing table match for 'sender#gmail.com'
Oct 24 14:08:43 mailzener opendkim[3325]: 6CC243F95E: bad signature data
My opendkim configuration file is this:
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
#InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891#localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
OversignHeaders From
LogWhy Yes
X-Header yes
MilterDebug 9
ResolverTracing Yes
As you can see from the Queue ID 4A29F3F938 vs 6CC243F95E, these are two different mails.
4A29F3F938 is incoming and is verifying OK. 6CC243F95E is outgoing, and I guess opendkim tries to sign the mail. You need to elaborate on your processing of the mail in the lines in between :)

How to send email via smtp server from iis 7 & php 7.1, not working with phpmailer

Using IIS 7 and PHP 7.1.
I managed to connect my server to our SMTP server (on a different IP address).
I did this quite simply by editing my php.ini file:
SMTP = mail.<Domain>.co.uk
smtp_port = 25
sendmail_from = mail#<Domain>.co.uk
And by calling a PHP script, an email was sent:
<?php
$msg = "Hello Do I Work Im From the Server";
mail("joe#<Domain>.co.uk","My subject",$msg);
?>
This worked, provided that the email recipient was on the same domain.
However, the request came for emails to be sent to anyone. When I tried this, using the above code and settings, I got this error:
PHP Warning: mail(): SMTP server response: 550 5.7.1 Unable to relay in …
Having a quick read, I found that PHP 7.1 doesn't allow SMTP passwords, the lack of which caused the above error. I'd need an external mail library.
1) Was this correct?
I downloaded and installed phpmailer (I can change this if required) and ran the following script:
<?php
require_once "PHPMailerAutoload.php";
$mail = new PHPMailer;
$mail->SMTPDebug = 3;
$mail->isSMTP();
$mail->Host = "mail.<Domain>.co.uk";
$mail->SMTPAuth = true;
$mail->Username = "mail#<Domain>.co.uk";
$mail->Password = "<Password>";
$mail->SMTPSecure = "tls";
$mail->Port = 25;
$mail->From = "mail#<Domain>.co.uk";
$mail->FromName = "Mail";
$mail->addAddress("joe#<Domain>.co.uk");
$mail->addReplyTo("mail#<Domain>.co.uk", "Reply");
$mail->isHTML(true);
$mail->Subject = "Test";
$mail->Body = "From the Server";
if(!$mail->send())
{
    echo "Mailer Error: " . $mail->ErrorInfo;
}
else
{
    echo "Message has been sent successfully";
}
?>
I ran this and got the error
2017-05-19 11:57:52 Extension missing: openssl Mailer Error: Extension missing: openssl
So i uncommented this in my php.ini
extension=php_openssl.dll
Reran the script and got
2017-05-19 11:59:14 Connection: opening to mail.<Domain>.co.uk:25, timeout=300, options=array ( )
2017-05-19 11:59:14 Connection: opened
2017-05-19 11:59:14 SERVER -> CLIENT: 220 PATHEX01.pathways.local Microsoft ESMTP MAIL Service ready at Fri, 19 May 2017 12:59:14 +0100
2017-05-19 11:59:14 CLIENT -> SERVER: EHLO www.<Domain>.co.uk
2017-05-19 11:59:14 SERVER -> CLIENT: 250-PATHEX01.pathways.local Hello [146.255.105.211]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
2017-05-19 11:59:14 CLIENT -> SERVER: STARTTLS
2017-05-19 11:59:14 SERVER -> CLIENT: 220 2.0.0 SMTP server ready
2017-05-19 11:59:15 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed [C:\inetpub\wwwroot\EmailTest\class.smtp.php line 369]
2017-05-19 11:59:15 SMTP Error: Could not connect to SMTP host.
2017-05-19 11:59:15 CLIENT -> SERVER: QUIT
2017-05-19 11:59:15 SERVER -> CLIENT:
2017-05-19 11:59:15 SMTP ERROR: QUIT command failed:
2017-05-19 11:59:15 Connection: closed
2017-05-19 11:59:15 SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Can anyone suggest what I'm doing wrong? Thanks

AMQP server on localhost:5672 is unreachable: [Errno 111] ECONNREFUSED

I am trying to add an additional compute node, on a different virtual machine, to the pre-installed OpenStack. I disabled the firewall services and am able to ping the other virtual machine, but the compute node is still not able to register with the RabbitMQ service running on the controller node.
Here is my nova.conf file:
[DEFAULT]
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
verbose=True
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=ec2,osapi_compute,metadata
rpc_backend = rabbit
auth_strategy = keystone
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
my_ip = #compute node ip
rabbit_host= #controller_node_ip
rabbit_port = 5672
rabbit_userid = stackrabbit
rabbit_password = devstack
rabbit_use_ssl = False
rabbit_virtual_host=/
[keystone_authtoken]
auth_uri = http://controller_node_ip:5000
auth_url = http://controller_node_ip:35357
memcached_servers = controller_node_ip:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = devstack
auth_host = controller_node_ip
auth_port = 35357
auth_protocol = http
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://controller_node_ip:6080/vnc_auto.html
[glance]
api_servers = http://controller_node_ip:9292
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
Here is my nova-compute.log:
2016-09-20 19:08:57.701 7201 INFO oslo.messaging._drivers.impl_rabbit [-] Reconnecting to AMQP server on localhost:5672
2016-09-20 19:08:57.701 7201 INFO oslo.messaging._drivers.impl_rabbit [-] Delaying reconnect for 1.0 seconds...
2016-09-20 19:08:58.708 7201 ERROR oslo.messaging._drivers.impl_rabbit [-] AMQP server on localhost:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 30 seconds...
Please suggest something so that I can resolve this issue.
Thank you in advance.
I encountered this when expanding my nova-compute estate (although I'm not using Devstack).
In my newly created compute server, the following was seen in /var/log/nova/nova-compute.log:
2017-11-14 11:40:53.287 52408 ERROR oslo.messaging._drivers.impl_rabbit [req-adfd6dc7-fe8c-4de5-8401-58d325c3b4a8 - - - - -] [be6e0302-dfc8-4512-8b48-0d824fc6ea14] AMQP server on 127.0.0.1:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 1 seconds. Client port: None
The solution was quite simple. I checked /var/log/sysinfo (I run Ubuntu; /var/log/messages for those on Red Hat systems) and could see the following lines:
Nov 14 12:01:48 compute2 systemd[1]: Started OpenStack Compute.
Nov 14 12:01:49 compute2 nova-compute[3222]: Traceback (most recent call last):
Nov 14 12:01:49 compute2 nova-compute[3222]: File "/usr/bin/nova-compute", line 10, in <module>
Nov 14 12:01:49 compute2 nova-compute[3222]: sys.exit(main())
Nov 14 12:01:49 compute2 nova-compute[3222]: File "/usr/lib/python2.7/dist-packages/nova/cmd/compute.py", line 42, in main
Nov 14 12:01:49 compute2 nova-compute[3222]: config.parse_args(sys.argv)
Nov 14 12:01:49 compute2 nova-compute[3222]: File "/usr/lib/python2.7/dist-packages/nova/config.py", line 52, in parse_args
Nov 14 12:01:49 compute2 nova-compute[3222]: default_config_files=default_config_files)
Nov 14 12:01:49 compute2 nova-compute[3222]: File "/usr/lib/python2.7/dist-packages/oslo_config/cfg.py", line 2355, in __call__
Nov 14 12:01:49 compute2 nova-compute[3222]: self._namespace._files_permission_denied)
Nov 14 12:01:49 compute2 nova-compute[3222]: oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/nova/nova.conf
Nov 14 12:01:49 compute2 systemd[1]: nova-compute.service: Main process exited, code=exited, status=1/FAILURE
Which shows that my /etc/nova/nova.conf file was unreadable. It turns out this was because I used scp to copy the nova.conf from my first compute to my new machine, and the file was read-only to the root user. The solution was to (on my new compute):
cd /etc/nova/
chown nova:nova nova.conf
service nova-compute restart

Postfix: SASL authentication failure: No worthy mechs found

I configured Postfix to send mail through a Microsoft Exchange server with SMTP authentication and TLS. In the mail log I see this error:
postfix/smtp[11191]: warning: SASL authentication failure: No worthy mechs found
postfix/smtp[11191]: B5BEB22019E: <my#mydomain.it> to=, relay=my.relay.host, delay=0:07, delays=0.04/0.02/0.01/0, dsn=4.7.0, status=deferred (SASL authentication failed, can not authenticate to server my.relay.host no mechanism available)
The Postfix configuration is the default one; I added these lines:
relayhost = my.relay.host
smtp_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_use_tls = yes
The libraries cyrus-sasl, cyrus-sasl-devel and cyrus-sasl-ntlm are installed. If I telnet to the Microsoft server, I get:
220 my.relay.host Microsoft ESMTP MAIL Service ready at Wed, November 27 2013 10:20:40 +0100
ehlo
250-MY.RELAY.HOST Hello [XXX.XXX.XXX.XXX]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
The administrator of the relay server tells me that authentication is NTLM. Any ideas?
Thanks Stefano
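How a SASL client can end up with no usable mechanism against this EHLO reply, as an added example (not part of the original post): a simplified model that intersects the server's AUTH list with the client's installed plugins and its security options. The MECH_PROPS table and function names are assumptions of this example. The options tested are those of the client-side parameter smtp_sasl_security_options, whose Postfix default is "noplaintext, noanonymous"; the post sets only the smtpd_ (server-side) variant.

```python
import re

# Constructed sample: the EHLO reply from the question, with the spacing
# introduced by extraction removed.
EHLO_REPLY = """\
250-MY.RELAY.HOST Hello [XXX.XXX.XXX.XXX]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
"""

# Simplified property table (an assumption of this example): which mechanisms
# send the password in the clear, and which are anonymous.
MECH_PROPS = {
    "PLAIN": {"plaintext"}, "LOGIN": {"plaintext"}, "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": set(), "DIGEST-MD5": set(), "NTLM": set(), "GSSAPI": set(),
}


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameter list; the first line is only the greeting."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)\s*(.*)$", line.strip())
        if m:
            caps[m.group(1).upper()] = m.group(2).upper().split()
    return caps


def usable_mechanisms(reply, security_options, client_plugins):
    """Mechanisms the server offers, the client has a plugin for, and the options allow."""
    # "noplaintext, noanonymous" -> {"plaintext", "anonymous"}
    banned = {opt.lower()[2:] for opt in re.split(r"[,\s]+", security_options) if opt}
    offered = parse_ehlo(reply).get("AUTH", [])
    # Mechanisms missing from MECH_PROPS are treated as having no banned property.
    return [m for m in offered
            if m in client_plugins and not (MECH_PROPS.get(m, set()) & banned)]


if __name__ == "__main__":
    plugins = {"PLAIN", "LOGIN", "NTLM"}
    print(usable_mechanisms(EHLO_REPLY, "noplaintext, noanonymous", plugins))
    print(usable_mechanisms(EHLO_REPLY, "noanonymous", plugins))
```

LOGIN transmits the password base64-encoded rather than encrypted, so permitting plaintext mechanisms on the client is only reasonable when the client also requires TLS to the relay (smtp_tls_security_level = encrypt).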
